If you have already set up Cloudflare Zero Trust for the tunnel, why not try that service for everything else as well? As long as you don't need more than 50 users, it is free for most things. Would be interesting to see their performance vs ZeroTier. Is it the VPS and DO that is the limiting factor or ZeroTier?
Just be aware that having a VPN means that the whole extended network is only as secure as the weakest component. Which might be a VPS or might be a laptop in a hotel room on hotel wi-fi.
I am running Ubuntu 20.04 on a Protectli Intel-based server where I have installed OpenVPN. Install and config of the server and client(s) takes several hours. I recall using a Digital Ocean install guide. But the investment is useful and all the software is free. There are OpenVPN clients for all of my devices (iOS, macOS, Windows) and I am able to access everything at home, including my Node-RED config, NAS, security cameras, etc. while remote.
I have a DynDNS account that I use to solve the changing IP address issue. A cron job runs on the server nightly and will update DynDNS when a router IP address change is detected. The DynDNS host name is used in the OpenVPN client configs.
Seems to me there are some home routers that include OpenVPN host capability.
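The cron-and-DynDNS arrangement described in the post above, as an added example that is not the poster's own script: a POSIX shell script for the nightly job. It fetches the current public address, refuses to use anything that is not a well-formed IPv4 address (the lookup reply is untrusted input that ends up in a URL), and only calls the provider when the address differs from the one recorded last time. The hostname, update URL, credential file and IP-lookup service are placeholders (`.invalid` names) to be replaced with the provider's real values; the `nic/update?hostname=...&myip=...` request shape follows the common dyndns2 update convention, which is an assumption about the provider.

```shell
#!/bin/sh
# Added example (not from the thread): nightly cron job that refreshes a
# dynamic-DNS record only when the router's public address has changed.
# Hostname, update URL, credential file and IP-lookup service are placeholders.
set -eu

DYNDNS_HOST="${DYNDNS_HOST:-home.example-dyndns.invalid}"
DYNDNS_UPDATE_URL="${DYNDNS_UPDATE_URL:-https://update.example-dyndns.invalid/nic/update}"
DYNDNS_NETRC="${DYNDNS_NETRC:-/etc/dyndns/netrc}"   # root-only file: "machine ... login ... password ..."
IP_LOOKUP_URL="${IP_LOOKUP_URL:-https://ip-lookup.invalid/plain}"   # assumed to return a bare address
CACHE_FILE="${CACHE_FILE:-/var/cache/dyndns/last_ip}"

# is_ipv4 ADDRESS -> 0 if ADDRESS is a dotted quad with four octets of 0-255.
# Anything else (empty reply, HTML error page, injected junk) is rejected.
is_ipv4() {
    _ip="$1"
    case "$_ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs="$IFS"; IFS=.
    set -- $_ip
    IFS="$_old_ifs"
    [ "$#" -eq 4 ] || return 1
    for _o in "$@"; do
        [ "${#_o}" -le 3 ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# ip_changed NEW_IP CACHE_FILE -> 0 if NEW_IP differs from the cached address
# (or no cache exists yet), 1 if the record is already current.
ip_changed() {
    _new="$1"; _cache="$2"
    [ -f "$_cache" ] || return 0
    [ "$(cat "$_cache")" != "$_new" ]
}

# remember_ip IP CACHE_FILE -> records IP as the last address pushed to the provider.
# Called only after a successful update, so a failed night is retried the next one.
remember_ip() {
    mkdir -p "$(dirname "$2")"
    printf '%s\n' "$1" > "$2"
}

# update_dyndns IP -> dyndns2-style update over HTTPS. Credentials come from a
# netrc file rather than the command line, so they do not appear in `ps` output.
update_dyndns() {
    curl --silent --show-error --fail --max-time 30 \
        --netrc-file "$DYNDNS_NETRC" \
        --get --data-urlencode "hostname=$DYNDNS_HOST" \
        --data-urlencode "myip=$1" \
        "$DYNDNS_UPDATE_URL"
}

main() {
    _ip="$(curl --silent --fail --max-time 15 "$IP_LOOKUP_URL" | tr -d '[:space:]')"
    if ! is_ipv4 "$_ip"; then
        echo "dyndns: lookup did not return an IPv4 address; not updating" >&2
        exit 1
    fi
    if ip_changed "$_ip" "$CACHE_FILE"; then
        update_dyndns "$_ip" && remember_ip "$_ip" "$CACHE_FILE"
        echo "dyndns: record updated to $_ip"
    else
        echo "dyndns: unchanged ($_ip)"
    fi
}

# Runs only when invoked with "run", e.g. from root's crontab:
#   15 3 * * * /usr/local/sbin/dyndns-update.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

The cache file is what keeps the job from hitting the provider every night when nothing has changed; the validation step is what keeps a hijacked or misbehaving lookup service from steering the update request.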
Hi Bart, a BIG fan of your nodes / tutorials here...
Sorry to jump into this post so late, it seems like you've already decided to take the ZT route, but I would advocate for CF on this one. IMHO it's way easier to configure than any other alternative (I did try ZT first), it provides the SSL management lifecycle for free and is very easy to set up, it includes simple access controls (both for humans and machines accessing your LAN) integrated with the major IdPs in the case of humans, or rotating API keys...
If I was able to set that up, anybody can.
@lu4t,
Thanks for joining!!
Yes I had my mind already fully focussed on ZeroTier. And I REALLY like it.
But it seems indeed there is no way to expose my endpoint via ZeroTier safely.
Which means I have to look at Cloudflare. What a pity that I have to drop ZeroTier.
For the node-red-contrib-google-smarthome node endpoint, I have meanwhile also been advised to have a look at Cloudflare...
I will start by watching your video, so thanks for sharing that.
Would you mind elaborating briefly on why you can't expose endpoints with ZeroTier safely? I thought ZT is (relatively) safe. Or at least as safe as technology can be for a security novice like me.
Or do you refer to your requirement with Google Voice and that you still would have to open ports if you used ZT?
Great to know, I'm saving this thread to my bookmarks to follow its development then...
Since the video was recorded, many advancements have occurred in CF Zero Trust.
Tunnel configurations are now managed through the user interface, and access control has been seamlessly integrated.
To access the Node-RED editor (secured over SSL), I authenticate myself using either my Google or GitHub account. If I have 2FA enabled on either of these Identity Providers (IdPs), it is mandatory to use it. Endpoints to services available on my local network, in order to be routed through the CF CDN and reach my home via the tunnel, must have credentials (API keys) granting access at the path level (specifically to a particular path).
From a security standpoint, the Cloudflare tunnel operates similarly to ZeroTier, establishing only outgoing connections (without the need to open ports on the router). The advantage here is the presence of a CDN that acts as a proxy for HTTP, MQTT, SSH traffic, and more.
In my view: the service is great, and it's free (even if your private domain is not registered with them, they will let you manage it on their nameservers at no cost).
Yes indeed. From what I understand you can publish endpoints very safely WITHIN your ZeroTier virtual network. But you cannot safely expose an endpoint from one of the ZeroTier nodes to the outside (to be used by Google).
I am pretty sure that Cloudflare is awesome, but it is my (changed) mindset that is the problem. My father-in-law died a few months ago, and since then we have been struggling a lot to get things up and running for my mother-in-law. And they have almost no electronics at home. So my lady asked me to document how all my stuff in my house works. So I am reviewing every part of it to (hopefully) make it a bit understandable. But having had even a quick look at Cloudflare Zero Trust, it is very obvious that they will never be able to maintain this. Unfortunately...
Suppose I keep using ZeroTier to connect safely (and easily) to my dashboard (and perhaps flow editor) from the internet on my Android phones. And that I automatically set up a tunnel on port 3001 via node-red-contrib-ngrok. I "assume" I could do it like this:
I create a free account on ngrok. Looks to me that the free version is good enough for my purpose:
I could do it more easily by not registering an account, but from the readme page of the node-red-contrib-ngrok node I see that the tunnel will then be open for max 8 hours. Which means that when I (automatically) create a new tunnel, I will get a new randomly generated url (e.g. https://84c5df474.ngrok-free.dev). So my old fulfillment url in the Google Actions console would not work anymore, and my voice control would fail.
I automatically start a tunnel for my free static ngrok domain.
I enter that fulfillment url in my Google Actions Console:
I pass these messages somehow to the endpoint of the node-red-contrib-google-smarthome node. Need to discuss that further with the developer of the node, to have a clean way to do that.
Before I start adjusting my setup, does anybody see some disadvantages in this approach?
Thanks!!!
EDIT: it would be even better if I could somehow restrict access in ngrok to my domain, so that only the Google servers can access it. Not sure if that is possible...
I hear you. I got a similar request from my wife some time ago.
WARNING: This is a bit off topic
I started earlier this year, built a wiki and documented our network environment first. I was, however, never able to explain it to her. She is not a techie, hence she is having a hard time understanding what for us are simple basics: "what is an IP address", what is a "subnet", etc. And I very well recall how hard it was for me to learn it back in the day. I am not blaming her, it is just not her business.
I hope my son is willing to learn all that. He and I agreed to do so and I have the feeling it is time now.
But for now I changed my documentation to a "2-step-emergency-plan". And with some help from friends she would be able to cope with it:
Network:
Replace firewall and modem with a Fritzbox, get rid of the managed switches, put everything in a single subnet. Get yourself a repeater for the upper floor. I made a plan of what to do and how to connect everything. It is rather simple then.
Home Automation:
Do it with Loxone only again. My electrician can help. Yes, they will lose a lot of the comfort they got used to, e.g. Siri control or some automation, but hey, it'll work as it should in any normal house, without a learning curve.
And for any additional "service" we have today, like NAS, camera, SAT IP tv, etc.: if it's not worth going through the hassle of understanding it, get rid of it. A NAS hard disk backup is available, btw.
This is why I make sure that everything I automate can still be used manually or via some simple app. Most of the automations are on top of standard controls. Most of the automated lighting, for example, is via plug-in units that could easily be replaced by timers or manual control.
Every hole you open (be it through a remote provider who is securing the hole, or any other method) is another point of penetration into your network.
You are making it more complex than it needs to be - i.e. what is your use case for needing both?
In case you are not aware - as well as having node-to-node access in ZeroTier (i.e. each device within a network can access each other device) - you can also install the ZeroTier client in gateway mode (a bit more complex) and this will then allow access to the parts of your network that you allow.
You can install multiple networks with the free account and a single device can join multiple networks - so you could have two instances of Node-RED - one that was for display only, i.e. a dashboard that was updated through MQTT, and the other with your running instance of NR. You could then have your phone in both networks, but someone else's phone only on the single display-only instance (and you could further lock that down with Linux firewalls to only allow certain ports etc.).
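The firewall lock-down mentioned at the end of that post, as an added example that is not part of the original thread: a shell script that builds and loads a default-deny nftables ruleset for the display-only Node-RED host. Only the listed TCP ports (1880 by default) are reachable from the ZeroTier interface, SSH is accepted from the wired LAN only, and everything else inbound is dropped. The interface names `zt_placeholder0` and `eth0` are placeholders; UDP 9993 is ZeroTier's documented default transport port.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny nftables ruleset for a
# display-only Node-RED host that is a member of a ZeroTier network.
# Interface names are placeholders; the port list is whatever the host serves.
set -eu

# build_ruleset ZT_IFACE LAN_IFACE PORTS -> prints a complete nft ruleset.
# PORTS is a space-separated list of TCP ports to allow in from ZT_IFACE.
build_ruleset() {
    _zt="$1"; _lan="$2"; _ports="$3"
    _set="$(printf '%s' "$_ports" | tr ' ' ',')"
    cat <<EOF
flush ruleset
table inet nodered_display {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback, and replies to connections this host initiated
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ZeroTier members may reach only the listed service ports
        iifname "$_zt" tcp dport { $_set } ct state new accept

        # Administration (SSH) only from the wired LAN, never over ZeroTier
        iifname "$_lan" tcp dport 22 ct state new accept

        # ZeroTier's own UDP transport on the physical uplink (default port 9993)
        iifname "$_lan" udp dport 9993 accept

        # ICMP/ICMPv6 so path MTU discovery and neighbour discovery keep working
        meta l4proto { icmp, icmpv6 } accept
    }
    chain forward {
        # This host is a dashboard, not a router: never forward between interfaces
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# apply_ruleset ZT_IFACE LAN_IFACE PORTS -> loads the ruleset in one transaction.
# nft rejects the whole file on a syntax error, so a typo cannot leave the
# host half-configured.
apply_ruleset() {
    build_ruleset "$1" "$2" "$3" | nft -f -
}

# Runs only when invoked with "apply", e.g.:
#   sudo ./nodered-display-fw.sh apply zt_placeholder0 eth0 "1880"
if [ "${1:-}" = "apply" ]; then
    apply_ruleset "${2:-zt_placeholder0}" "${3:-eth0}" "${4:-1880}"
fi
```

Pairing this with a Node-RED instance that only subscribes to MQTT for its dashboard data means the second phone can see the dashboard but has no path to the flow editor, the MQTT broker or SSH, even though it sits on the same ZeroTier network.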